DrayTek Disaster: Why Your Business Wi-Fi Just Became a Cybersecurity Liability

Let’s start with a simple question: why are so many UK businesses still relying on bottom-shelf routers that should’ve been retired when Theresa May was still Prime Minister?

This week’s connectivity chaos — flagged by several UK ISPs and now all over the tech press — is being traced back to a lovely little security vulnerability in certain DrayTek routers. Specifically, we’re talking about older Vigor models running out-of-date firmware that rolled out the red carpet for attackers.

The tl;dr — It’s Bad

If you’re short on time (or patience), here’s what happened:

  • DrayTek routers — specifically models like the Vigor 2762, 2862, and 2926 — are under active attack.

  • Remote code execution (RCE) vulnerabilities have been exploited in the wild.

  • Victims are reporting weird DNS redirections, slow or failing connectivity, and some ISPs are proactively blocking these routers from their networks.

  • If you’re running firmware older than December 2023, you're a sitting duck. Quack.

Let’s be real—if you’ve been running these things without patching them in the last 12 months, this isn’t just a DrayTek problem—it’s a you problem.

But DrayTek Routers Are "Business Grade"

Ah yes, the classic. I can count the number of times I’ve walked into a small business or branch office and seen a DrayTek box proudly propped on a shelf like a relic from the Golden Age of DSL. These routers are often sold with a vague promise of being "business-grade." And for a while, they were.

But here’s the deal: Business grade doesn’t mean immortal.

Security vulnerabilities don’t care if your router cost £180 in 2018 and has “VPN” written on the box. If you haven’t patched it, monitored it, or even logged into it since the first lockdown, then it’s a liability — not a badge of professionalism.

ISPs Are Blocking You. Yes, You.

According to reports (notably from AAISP and others), some ISPs have started actively blocking traffic to and from affected DrayTek routers. This is not some paranoid overreaction. This is a measured response to traffic that’s:

  • behaving abnormally,

  • possibly exfiltrating data,

  • and in many cases, redirecting DNS queries in ways that scream man-in-the-middle attack.

The usual suspects include models that haven’t received firmware updates in years. Meanwhile, customers are left scratching their heads wondering why Netflix won’t load, Outlook can’t sync, and that weird Chinese IP keeps popping up in the firewall logs.

(Newsflash: That’s not your VPN working properly.)

Who’s to Blame?

This is where it gets a little spicy — because the blame doesn’t fall neatly in one direction.

  • DrayTek did release patches (eventually). So fair play.

  • ISPs are doing their best to protect their networks, even if it means kicking vulnerable kit off the grid.

  • Users (i.e., the SMEs and tech-enthusiast directors who insist on DIY IT) are... well... using 7-year-old hardware in 2025. Without updates. Without monitoring. Without a care.

Sorry, but this one’s on you.

A Minor Rant (Because Honestly…)

We wouldn’t be here if businesses didn’t treat networking like an afterthought. If your router is still something you "just plug in and forget about", you’re not running a network — you’re running a gamble.

And for the so-called “managed service providers” who put these devices in and walked away? Shame. You’re not a managed anything. You’re a plug-and-pray technician wearing a polo shirt that says "Solutions".

A proper MSP — and yes, I’ll say this out loud — would’ve:

  • Set up monitoring and alerting on the WAN interfaces,

  • Registered the device with the vendor’s firmware update service,

  • Blocked RCE attempts before they hit the web interface,

  • And replaced unsupported hardware as a matter of principle.

And the moment DNS traffic started going to weird places, they’d be the ones calling you, not the other way round.
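To make that DNS check concrete, here is an added example (not from the original article, and not DrayTek or ISP tooling) that scans firewall flow logs for LAN hosts talking to resolvers outside an approved list. The log format, the approved resolver addresses and the LAN range are all assumptions, and the sample lines are constructed.

```python
import ipaddress
import re

# Assumptions: the resolvers this site should use and its LAN range
# (documentation-range placeholders, not values from the article).
APPROVED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}
LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample lines in a generic key=value firewall log format.
SAMPLE_LOG = """\
2025-03-10T09:00:01Z action=allow proto=udp src=192.168.1.20 dst=192.0.2.53 dport=53
2025-03-10T09:00:02Z action=allow proto=udp src=192.168.1.21 dst=203.0.113.66 dport=53
2025-03-10T09:00:03Z action=allow proto=tcp src=192.168.1.20 dst=198.51.100.7 dport=443
2025-03-10T09:00:04Z action=allow proto=udp src=192.168.1.1 dst=203.0.113.66 dport=53
2025-03-10T09:00:05Z action=allow proto=tcp src=192.168.1.22 dst=203.0.113.66 dport=53
2025-03-10T09:00:06Z action=deny proto=udp src=192.168.1.23 dst=203.0.113.99 dport=53
truncated line with no fields
"""

FIELD = re.compile(r"(\w+)=(\S+)")
REQUIRED = {"action", "proto", "src", "dst", "dport"}


def unapproved_dns(log_text, approved=APPROVED_RESOLVERS, lan=LAN):
    """Map each unapproved resolver to the sorted LAN clients allowed to reach it."""
    seen = {}
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if not REQUIRED <= f.keys():
            continue  # not a flow record
        if f["dport"] != "53" or f["action"] != "allow":
            continue  # only DNS (UDP or TCP) that actually left the network
        try:
            src = ipaddress.ip_address(f["src"])
        except ValueError:
            continue  # malformed source address
        if src in lan and f["dst"] not in approved:
            seen.setdefault(f["dst"], set()).add(f["src"])
    return {dst: sorted(clients) for dst, clients in seen.items()}


if __name__ == "__main__":
    for resolver, clients in unapproved_dns(SAMPLE_LOG).items():
        print(f"ALERT: unapproved resolver {resolver} used by {', '.join(clients)}")
```

In the sample, the router's own address (192.168.1.1) appears among the clients of the unapproved resolver, which points at the router's DNS settings rather than a single misconfigured workstation.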

What Does This Mean for You?

If you're using one of the affected DrayTek models and you've experienced:

  • Slow or dropped connections

  • Unexpected DNS changes

  • “Random” websites loading instead of what you typed

  • Your ISP suddenly going silent on your support requests

…you’re probably on the list.

Even if you haven’t noticed anything yet, don’t get smug. These types of attacks are designed to stay invisible until it’s too late.

What You Should Do Right Now

Here’s your fix-it checklist:

  1. Identify your router model. If it’s a Vigor 2762, 2862, 2926 — or anything pre-2021 — you need to check the firmware now.

  2. Log into the admin portal. If you’ve forgotten how, that's a sign.

  3. Update the firmware. Go to DrayTek’s support site and find the latest for your model.

  4. Change all credentials. Yes, all of them. Especially if you’ve been running with the default ‘admin/admin’.

  5. Run a virus scan on all devices. If your DNS has been hijacked, malware could be spreading internally.

  6. Consider replacing the hardware. Seriously. If it’s out of support, bin it.

And for the love of uptime, get someone to manage this stuff for you.

Let's Talk About Supply Chain Risk

Here’s the bit that gets swept under the rug far too often: if you’re a business that connects to third parties — cloud apps, banking platforms, suppliers — and you’re running vulnerable edge devices, you are the supply chain risk.

DrayTek might be the target today, but the weak link tomorrow could be your printer, your CCTV recorder, or your smart thermostat in the boardroom.

It’s all IP. It’s all connected. And it’s all your responsibility.

What Should a Good MSP Be Doing?

Not all MSPs are created equal. If yours hasn’t:

  • Mentioned this vulnerability,

  • Offered to proactively check and patch your router,

  • Flagged outdated equipment with an upgrade plan,

  • Or monitored your traffic for oddities...

...then what, exactly, are you paying them for?

Spoiler alert: if your IT provider is charging you £30/user/month and offering “unlimited support”, they’re not proactively securing your business. They’re just waiting for something to break so they can bill more time. That’s not managed service — that’s managed hope.

A good provider treats routers like firewalls, not like plug sockets. They monitor. They patch. They test backups. And they lose sleep over your risk profile so you don’t have to.

The Real Lesson Here

This isn’t just about DrayTek. It’s not even just about routers.

It’s about mindset.

If your approach to cybersecurity is “it’ll probably be fine,” then congratulations — you’re exactly the type of soft target attackers dream about.

Good security isn’t just antivirus and passwords. It’s:

  • Asset management

  • Patch discipline

  • Access control

  • DNS filtering

  • Monitoring and alerting

  • Disaster recovery plans

  • And yes, a network stack that isn’t older than your office kettle

And if you’re not confident that all those boxes are ticked? Now’s the time to fix that.

Noel Bradford

Noel Bradford – Head of Technology at Equate Group, Professional Bullshit Detector, and Full-Time IT Cynic

As Head of Technology at Equate Group, my job description is technically “keeping the lights on,” but in reality, it’s more like “stopping people from setting their own house on fire.” With over 40 years in tech, I’ve seen every IT horror story imaginable—most of them self-inflicted by people who think cybersecurity is just installing antivirus and praying to Saint Norton.

I specialise in cybersecurity for UK businesses, which usually means explaining the difference between ‘MFA’ and ‘WTF’ to directors who still write their passwords on Post-it notes. On Tuesdays, I also help further education colleges navigate Cyber Essentials certification, a process so unnecessarily painful it makes root canal surgery look fun.

My natural habitat? Server rooms held together with zip ties and misplaced optimism, where every cable run is a “temporary fix” from 2012. My mortal enemies? Unmanaged switches, backups that only exist in someone’s imagination, and users who think clicking “Enable Macros” is just fine because it makes the spreadsheet work.

I’m blunt, sarcastic, and genuinely allergic to bullshit. If you want gentle hand-holding and reassuring corporate waffle, you’re in the wrong place. If you want someone who’ll fix your IT, tell you exactly why it broke, and throw in some unsolicited life advice, I’m your man.

Technology isn’t hard. People make it hard. And they make me drink.

https://noelbradford.com